Xerox Product Security for Secure Printing

At Xerox, product security issues are front and center. As a leader in the development of digital technology, Xerox has demonstrated a commitment to keeping digital information safe and secure by identifying potential vulnerabilities and proactively addressing them to limit risk. Customers have responded by looking to Xerox as a trusted provider of secure printing solutions with many standard and optional product security features.

Xerox production devices are, of course, designed for speed and include high output features. Xerox office devices are the highest-speed devices in the industry to receive Common Criteria Certification, providing an independent standard for product security. Several of Xerox Corporation’s high-speed digital copiers and advanced multifunction printers have become the fastest office devices in the industry to earn the international standard in information and product security. You may review the Xerox devices that have achieved or are being evaluated for Common Criteria on our Common Criteria page.

These devices join a long list of Xerox mid-speed office products to make it even easier for customers to meet their document production needs and the strict secure printing requirements in the government, military, healthcare, legal and financial sectors. Specific product security features on Xerox devices include:

The Image Overwrite product security option electronically shreds information stored on the hard disk of devices as part of routine job processing. Electronic erasure can be performed automatically at job completion (Immediate), On Demand, and on some models Scheduled. The Xerox Image Overwrite product security process implements a three-pass algorithm originally specified by the U.S. Department of Defense.

All data in motion in and out of the device, as well as data stored within the device, is secured with state of the art encryption. Most Xerox devices support several different protocols for encrypting data in motion in and out of the device including SSL and IP Security (IPSec). Note that scanning, printing, and access to the Web/remote user interface can be secured with either SSL/TLS or IPSec.

Unified ID System integrates your Xerox multifunction priinters with your existing employee/student ID badge solution to provide a flexible and convenient authentication system. Users simply log-in with a swipe of their magnetic or proximity ID card for secure access to multifunction printer features that need to be tracked for accounting or regulatory requirements.

While firewalls work at the network periphery to prevent unauthorized access to a customer's environment, unprotected fax connections in multifunction printers can be an open "back door" into the network. Xerox was the first manufacturer to offer a Common Criteria certified product that assures complete separation of the fax telephone line and the network connection, and continues to include that claim in all product security certifications.

When enabled on Xerox office printers and multifunction printers, this feature monitors the print, copy, scan and fax pages produced and who produces them. Administrators can limit the number of print, copy, scan and fax jobs a user can perform, track activity at a user, group or department level, and manage access to color copying and printing.

When sending a job from a print driver or using the web print submission tool, the user selects the Secure Print method and enters a unique PIN number. Jobs are sent and safely stored at the device until the user enters that same unique PIN to release them. This controls unauthorized viewing of hard copy documents sent to the printer.

A labor saving feature for office and multifunction printers, this allows document-related software applications to be accessed on the user interface to improve workflow and minimize time at the device.

Most customers need to restrict access to a device to a limited set of authorized users and Operators. Xerox production devices include access control features such as:

Authentication Feature:
This feature ensures that only properly authorized users are permitted to use a Production device. Any type of interaction between a user and a Xerox production device is associated with a security account. The association, or logon session, is the basis for granting access to any user. Once the logon session is established, the user can interact with the printer or access customer data, subject to restrictions based on the user's Role.

Role Based Access Control (RBAC): The RBAC feature ensures that authenticated users are assigned to a role of User, Operator, or Administrator. Each role has associated privileges with appropriate levels of access to features, jobs and print queue attributes.

Microsoft Active Directory Services: The Microsoft Active Directory Services (ADS) feature enables the device to authenticate user accounts against a centralized user account database, instead of exclusively using the user account database that is managed locally at the device.

Many Xerox devices also include features to protect the printer from unauthorized remote access and to protect the confidentiality of “data in motion”, specifically customer jobs which are transmitted to the printer over a network. These features include:

IPFiltering: Internet Protocol (IP) Filtering capability enables a system administrator to restrict access to the device to a limited set of IP addresses. This provides a defense against remote attackers. Computers whose IP addresses are outside of the allowed set are not permitted to access the device.

IPSec: Internet Protocol (IP) Security enables the digital front end or printer device to authenticate remote users and requires these users to encrypt the data transmitted using legacy print protocols such as LPR and Port 9100. IPSec is supported by a variety of PC operating systems including all modern versions of Microsoft Windows.

Digital Certificate:
The Digital Certificate feature enables the system administrator to create a self-signed digital certificate, or import a digital certificate signed by a Certificate Authority (e.g., RSA, VeriSign). A digital certificate enables print clients to authenticate a printer/print server and to encrypt data using SSL/TLS.

Network Authentication:
Access to device functions (e.g., scan, e-mail and fax) is restricted by validating network user names and passwords prior to use of these functions.

802.1x Device Authentication:
Office devices implement the 802.1x standard. This allows the device to be authenticated on a network before the network will allow any network traffic to pass to or from the device. This stops rogue devices from infiltrating the network.